Detecting Data Exfiltration

How can I monitor for data exfiltration attempts?


The Problem

A government agency discovered several of its private, internal­ documents were available unsecured on the public Internet. The agency's security team quickly performed a forensic investigation to determine possible sources of the data leak. They took steps to isolate logical networks and to avoid traversal among production, staging, and corporate traffic. Based on the documents leaked, they zeroed in on the corporate network. Meanwhile, their IPS and IDS tools had not flagged any malicious behavior. The next steps, packet capture or log analysis, would take too much time without a more narrow focus and there was no guarantee that they would be able to find the source using their logs.

Desired Outcome

  • Quickly identify the cause of the data leak and avoid time­-consuming tasks such as packet capture and log analysis
  • Prevent future data leaks

A government agency discovered several of its internal documents unsecured on the Internet...Meanwhile, their IPS and IDS tools had not flagged any malicious behavior. The next steps, packet capture or log analysis, would take too much time without a more narrow focus.


The Solution

Using the ExtraHop platform and going back six months from the time of the internal publishing of the documents, the security team looked for anomalous behavior from all internal clients. They saw no unusual activity to common shadow storage (such as Dropbox) nor any FTP or SSH traffic to external servers. However, while examining user Internet usage, the security team noticed unusual DNS activity. While the average requests per client machine had been consistent, one machine had spikes of DNS traffic significantly higher than normal. The security team drilled down into that client machine and identified three concerning behaviors:

  • The machine was making dozens of DNS requests per second.
  • The DNS traffic exhibited large packet size, many of them 512 bytes, the maximum safe size for UDP packets.
  • The DNS traffic was disproportionately TXT records instead of typical A records.

Given this abnormal DNS behavior, the security team believed that the host had been compromised and that malicious code was using DNS as a tunnel to extract data from the client machine. By combining large packet payloads with high delivery rates, the attacker was able to achieve multiple kilobits per second of throughput with TXT records, which can hold arbitrary data. The security team isolated the device, wiped the system, and was able to recover the user's workspace. They matched the leaked files to those on the client machine and ensured that no new files were leaked because of system compromise.

To prevent future attacks, the team set up a dashboard to look for a number of different indicators of suspicious activity. First, several alerts were setup to identify suspicious DNS behavior. These included alerting on the combination of requests but also on DNS requests from regions where they did not conduct business. Next, a combination of three systems were monitored, first, the amount of database transfers was plotted on a chart, the daily quantity of transfers was generally the same and any spike would indicate a potential issue. Second, using an ExtraHop Application Inspection Trigger the team monitored for outgoing SSH connections from any of its key databases (outgoing SSH connections were strictly prohibited). And finally, the team plotted and monitored authentication attempts to expose any brute force or slow-loris type guessing attempts.

User Impact

The security team was able to quickly identify the compromised machine and stop the data exfiltration something they wouldn't have discovered via their log, IPS, or IDS analysis. Because of ExtraHop's auto­discovery of all L2­ - L7 communication and it's ability to transform wire data to a well formatted syslog message and stream its dataset to their SIEM, the platform became part of their pervasive security monitoring strategy. They also set up all of their databases containing personally identifiable information (PII) into a device group within ExtraHop and set alerts based on client requests, size of database response, logins, and protocols in use to flag any unusual behavior that would indicate exfiltration. They have also set up deep encryption analysis to ensure that all sensitive data in flight are encrypted with the correct SSL version, key, and cipher strength. Auditing and reporting has become much simpler and factual. ExtraHop's ability to observe all communication and transactions on the wire has added a wholly new perspective, based on continuous observation, to their security monitoring and analytics strategy.

Contact us Try our free online demo